Weak keys in the rekeying paradigm : application to COMET and mixFeed

In this paper, we study a group of AEAD schemes that use rekeying as a technique to increase efficiency by reducing the state size of the algorithm. We provide a unified model to study the behavior of the keys used in these schemes, called Rekey-and-Chain (RaC). This model helps understand the design of several AEAD schemes. We show generic attacks on these schemes based on the existence of certain types of weak keys. We also show that the borderline between multi-key and single-key analyses of these schemes is not solid and that the analysis can be performed independently of the master key, sometimes leading to practical attacks in the multi-key setting. More importantly, the multi-key analysis can be applied in the single-key setting, since each message is encrypted with a different key. Consequently, we show gaps in the security analysis of COMET and mixFeed in the single-key setting, which led the designers to provide overly optimistic security claims. In the case of COMET, full key recovery can be performed with 2^64 online queries and 2^64 offline queries in the single-key setting, or 2^46 online queries per user and 2^64 offline queries in the multi-key setting with ∼0.5 million users. In the case of mixFeed, we improve the forgery adversarial advantage in the single-key setting by a factor of 2^67 compared to what the designers claim. More importantly, our result is only a lower bound on this advantage, since we show that the gap in the analysis of mixFeed depends on properties of the AES key schedule that are not well understood and require more cryptanalytic effort to find a tighter advantage. After reporting these findings, the designers updated their security analyses to accommodate the proposed attacks.

Bibliographic Details
Main Author: Khairallah, Mustafa
Other Authors: School of Physical and Mathematical Sciences
Format: Article
Language: English
Published: 2020
Subjects: Library and information science::Cryptography; Weak Keys; Authenticated Encryption
Online Access:https://hdl.handle.net/10356/145133
Institution: Nanyang Technological University
Citation: Khairallah, M. (2020). Weak keys in the rekeying paradigm : application to COMET and mixFeed. IACR Transactions on Symmetric Cryptology, 2019(4), 272-289. doi:10.13154/tosc.v2019.i4.272-289
ISSN: 2519-173X
Version: Published version, deposited 2020-12-14
Rights: © 2020 Mustafa Khairallah. This work is licensed under a Creative Commons Attribution 4.0 International License.
File format: application/pdf